Dyre malware reborn as TrickBot now targeting Australian banks

TrickBot's recent samples reveal that the malware’s code appears to be based on an old Dyre codeReuters

Dyre malware, widely considered to be one of the world's most dangerous and powerful banking Trojans, appears to have made a comeback in a new avatar. Security researchers believe that a new malware called TrickBot, which was found targeting banking institutions in Australia, is likely an improved version of Dyre.

The Dyre malware seemingly disappeared almost overnight in November 2015 after Russian authorities arrested the cybergang running the banking Trojan. However, Dyre, which had been active since 2014, had already racked up millions of dollars by then, targeting banks and businesses in the UK, US and Australia. Security experts at cybersecurity firm Fidelis believe that someone linked to the now jailed Dyre gang is likely operating TrickBot.

Fidelis researchers noted that Dyre and TrickBot have "very similar functions and activities". Researchers also believe that Dyre has likely been heavily rewritten. "Based on these observations, it is our assessment with strong confidence that there is a clear link between Dyre and TrickBot but that there is considerable new development that has been invested into TrickBot. With moderate confidence, we assess that one of more of the original developers of Dyre is involved with TrickBot," said Fidelis threat researcher Jason Reaves.

Researchers found that TrickBot comes equipped with a custom crypter in TrickLoader, which was also used in the Cutwail spambot. According to Reaves, Cutwail "was a favorite of old Dyre crew" and was used fairly extensively as part of their various spam campaigns.

The new malware's recent samples, which researchers noted were identified as TrickBot, revealed that the malware's code appears to be based on an old Dyre code. However, Reaves added that TrickBot's code has been "rewritten to use things such as Microsoft CryptoAPI and COM."

Reaves added, "The bot also uses a very similar but slightly modified version of the old Dyre C2 decryption, this routine is then used for encrypting/decrypting all data respectively. The algorithm used by Dyre for generating the AES and IV from the first 48 bytes of data based on a rehashing scheme was commonly referred to as Dyre's derive_key function, this function was slightly changed in the new bot."

Fidelis researchers said that the first bots it studied were found to be designed to collect system information. However, on 13 October 2016, researchers uncovered a new bot with browser injection capabilities. They speculated that the malware authors are likely testing out the injects, converting and adding them to the new structure of the Trojan.

Reaves concluded, "While the bot is still missing quite a lot from what was previously seen in Dyre it is obvious that there is correlation between the code used in this bot and that from Dyre. As the bot appears in development they are pushing to rebuild their Cutwail botnet in preparation for future spam runs. It'll be interesting to see if TrickBot can reach or pass its predecessor."